Internet.com ISP-Planet

Managed Security Services

MSSP Survey Part 3, Page 3:
Managed Remote Access VPN Services

by Lisa Phifer
VP Core Competence, Inc.
[January 11, 2005]

Managed Remote Access VPN Services
Most MSSPs participating in this year's survey offer one or more Managed RA VPN services (see table). RA VPNs provide secure connectivity between individual users/hosts and VPN resources. RA VPN services usually connect remote workers—business travelers, day extenders, teleworkers—to their company's network. RA VPNs can also connect business partners (Extranets) or branch office workers (in lieu of site-to-site VPNs). For example, Fiberlink markets its DNA platform to connect customer VPNs to hosts, whether located at branch offices or elsewhere.

As shown in this graph, SSL made a much bigger showing in this year's survey. Of the RA VPN providers participating in our survey, all but two offer an IPsec-based RA VPN service. But 67 percent—double our 2003 turnout—now offer SSL-based RA VPNs. Nine offer both SSL and IPsec-based RA services. Five offer IPsec but not SSL, and two offer SSL but not IPsec. Clearly, SSL hasn't (yet) replaced IPsec. But Infonetics projects that growth in MPLS and SSL will cause IPsec VPN service revenue to drop from 84 percent in 2003 to 62 percent by 2008.

Why this shift towards SSL? On the client side, SSL VPNs leverage standard-issue browsers instead of requiring installed IPsec VPN Client software. When client software is needed, it may be delivered as a Java applet (lightweight client) or an auto-downloaded/temporary Win32 program. Many companies have been drawn to this "clientless" model to reduce IT costs associated with remote desktop support.

However, for managed RA VPN services, the "clientless" cost equation isn't clear-cut. Many of the MSSPs participating in our survey supply pre-configured, web-downloadable IPsec VPN Clients to their customers. Responsibility for client installation may fall to individual end users or the customer's IT department. Moreover, on-going client configuration and updates are often performed by the MSSP as part of the offering. Help desk services may also be provided, either as part of the RA VPN service, or as an added-cost option.

In short, because your MSSP will be shouldering some of the work, don't assume that your in-house IT cost will be higher with IPsec than with SSL. We recommend carefully evaluating specific RA VPN offerings to understand who will be responsible for which tasks. Also consider tradeoffs that lie beyond the scope of this survey, like network vs. application independence, and enabling access from public PCs vs. ensuring endpoint security.

Ultimately, RA VPNs are about providing secure access. The services described in this year's survey have made positive strides on both counts:

  • Most (but not all) of these RA VPN services are access-independent—workers can reach these VPNs over any Internet connection at home, hotels, Wi-Fi hotspots, etc. In addition, AT&T, ClearPath, Fiberlink, MCI, Securalis, and Unisys offer bundled Internet service options. Some include roaming clients that deliver the same experience, whether using dial-up, broadband, or Wi-Fi. Here again, some customers don't want company-paid Internet access. But these MSSPs can deliver connectivity to those that do.

  • Significant improvement can be seen in support for RSA SecurID tokens, client-side digital certificates, managed PKI/Authentication services, and integration with a variety of customer databases. Large enterprises are most likely to benefit from database integration, letting them retain control over RA credentials by re-using in-house RADIUS, ACE, or LDAP authentication servers. SMBs are more likely to start RA authentication "from scratch"—we recommend adopting stronger auth methods by leveraging Managed PKI/Authentication services. Yes, two-factor tokens and certificates do have a cost—but so do help desk calls for password reset.

On the other hand, older/weaker PPTP and its replacement L2TP are still widely supported by participating providers. We attribute this to platform support: these protocols are present in major RA VPN concentrators and Microsoft PCs, whether customers use them or not. In our next survey, we may ask providers how often these layer 2 tunneling protocols are actually enabled in customer VPN policies.

As in 2003, Nortel Contivity, Cisco 3000/PIX, and CheckPoint are still popular for IPsec RA; Aventail and Netscreen (now Juniper, formerly Neoteris) appear to be most popular for SSL RA. Provider-specific security appliances from SecurePipe, PresiNET, ISS, and ClearPath also appear in this year's list. All but one are CPE-based services, although some MSSPs will optionally host a customer's RA VPN appliance at their POP.

Policy update procedures and log/report access responses were often identical for S2S and RA VPNs. Some differences can be attributed to platform management and monitoring capabilities. For example, Aventail's SSL VPN service (sold by both MCI and Aventail) delivers user trend reporting; Fiberlink offers departmental chargeback/cost accounting reports.

Other differences accommodate ongoing user provisioning required by RA VPNs—for example, MCI's Access Manager. Companies with large workforces should pay special attention to features that let them quickly add/delete users and access data needed for accounting and trouble-shooting.

Finally, take a good look at RA VPN add-ons. Options offered by participating providers include network access, managed authentication services, help desk services, managed personal firewalls, and endpoint security checking. Keep in mind that VPNs are just one component of desktop security; as remote access expands to potentially hostile environments like public PCs, hotspots, and hotel broadband, it is increasingly important to make sure that "remote endpoints" connected to VPNs are not compromised.

Stay tuned for next week, when we'll take a look at several complementary managed security services: anti-virus, anti-spam, and content filtering.


Managed Security Service Provider Survey Part 1: Introduction
Managed Security Service Provider Survey Part 2: Firewall, IDS/IPS
Managed Security Service Provider Survey Part 3: Site to Site VPN, Remote Access VPN
Managed Security Service Provider Survey Part 4: Managed Anti-Virus, Anti-Spam, and Web Filtering Services

 
